MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dfca1bf3a2bc630e60ee036b0fd5be55b2f2b44e7dc8d2005b86d763bfc7c8ac. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dfca1bf3a2bc630e60ee036b0fd5be55b2f2b44e7dc8d2005b86d763bfc7c8ac
SHA3-384 hash: 63c18096c32966ccee8db701a707736cf067c40488deced2f0000040659488a88e400b5ad91547a46755ed084b3fa32e
SHA1 hash: ca3d012e8eb831d9ed423b009f136c82ebe5f4aa
MD5 hash: a121bd85898596ce6dabd73df1422b66
humanhash: missouri-sweet-texas-lake
File name:Satinalma Siparisi Listesi.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:638'464 bytes
First seen:2021-07-08 11:39:47 UTC
Last seen:2021-07-08 12:51:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a3768a75eba55604b789706b6a238d1c (2 x Formbook, 1 x RemcosRAT)
ssdeep 12288:QLyh5Wt60Cibp9t/iOWccO3hTWjSiuPBR5lpbTYw:QLmH0N9Wl0TGSBR
Threatray 56 similar samples on MalwareBazaar
TLSH T174D46B23F7418037D1675534DD1F6B64A827BE94BE105EE31AF6FA8C5E37B827860282
Reporter malwarelabnet
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
139
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Satinalma Siparisi Listesi.exe
Verdict:
Suspicious activity
Analysis date:
2021-07-08 11:42:29 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7f7c46d7-839d-417c-9665-0bfad3754fa6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/170427/
Detection(s):
PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Dbatloader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f6c67573-267a-44a6-ad5e-a612a8b36489
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/813444
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: CMSTP Execution Process Creation
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 445855 Sample: Satinalma Siparisi Listesi.exe Startdate: 08/07/2021 Architecture: WINDOWS Score: 100 29 zzful.com 2->29 31 www.zzful.com 2->31 37 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->37 39 Found malware configuration 2->39 41 Malicious sample detected (through community Yara rule) 2->41 43 5 other signatures 2->43 11 Satinalma Siparisi Listesi.exe 17 2->11         started        signatures3 process4 dnsIp5 35 cdn.discordapp.com 162.159.134.233, 443, 49724, 49725 CLOUDFLARENETUS United States 11->35 53 Writes to foreign memory regions 11->53 55 Allocates memory in foreign processes 11->55 57 Creates a thread in another existing process (thread injection) 11->57 59 Injects a PE file into a foreign processes 11->59 15 DpiScaling.exe 11->15         started        signatures6 process7 signatures8 61 Modifies the context of a thread in another process (thread injection) 15->61 63 Maps a DLL or memory area into another process 15->63 65 Sample uses process hollowing technique 15->65 67 2 other signatures 15->67 18 explorer.exe 15->18 injected process9 dnsIp10 33 www.thebusinessfitclub.com 213.171.195.105, 49743, 80 ONEANDONE-ASBrauerstrasse48DE United Kingdom 18->33 45 System process connects to network (likely due to code injection or exploit) 18->45 22 cmstp.exe 18->22         started        signatures11 process12 signatures13 47 Modifies the context of a thread in another process (thread injection) 22->47 49 Maps a DLL or memory area into another process 22->49 51 Tries to detect virtualization through RDTSC time measurements 22->51 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dfca1bf3a2bc630e60ee036b0fd5be55b2f2b44e7dc8d2005b86d763bfc7c8ac/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2021-07-08 08:05:42 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=37fbx45cxrrq4yhoanvq7vn6kwzpfncopxeneac3q3lwhp6hzcwa._file
Verdict:
suspicious
Similar samples:
4cadcc2d7a8ecf067470f99305eca7473fb339936290259643ece74a8502dfb3
Formbook
660b2eb5749963f118e49c2f7f3b253b1563a9f99063ba29122f2b6bb72cb6fc
Formbook
69e75e57bc4a09c9a3d7726b28423d10df5b0224177ebfa43930668efd0af5da
Formbook
6e75af8d5d325800f4cfcaab0ec5a96976011f10544863ec3f75ee2a21eaded3
Formbook
6f536ae781fd98358126408aa6991b4bb3ec3f9940929a22b25f785b71ec770d
Formbook
85adf569d259dc53c5099fea6e90ff3a614a406b4308ebdf9f40e8bed151f526
Formbook
90f1f2860133ac9c3912346b2c8691e1567741680c4bf007927c2241a62a35d2
Formbook
ab893fbabe7b944a559507848df6549660cfb33de9d4b0da6d645690981c662a
Formbook
ceed0ebc3f52b44accb06cfe1828133c66665a27146a08dfca26fd77ad6e0474
Formbook
f353dc700a77a88665e2d6cb4f73396ba3b4437cc3ee9a6a7e095de5f77277c5
Formbook
+ 46 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat spyware stealer trojan
Link:
https://tria.ge/reports/210708-n7bqnphtfx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Formbook Payload
Formbook
Malware Config
C2 Extraction:
http://www.jakesplacebarbers.com/3nop/
Unpacked files
SH256 hash:
1fd7371f99d6d6c22279f208d56c7030cc4a7807c44eca52aceb56d7f67ce794
MD5 hash:
135e22fb2a688966b3e75e16441f9d18
SHA1 hash:
5364d1af468956d5b0341c5f43aaf674679f7a32
Link:
https://www.unpac.me/results/e94c37c7-2df1-4954-81e8-310abcc96295/
SH256 hash:
dfca1bf3a2bc630e60ee036b0fd5be55b2f2b44e7dc8d2005b86d763bfc7c8ac
MD5 hash:
a121bd85898596ce6dabd73df1422b66
SHA1 hash:
ca3d012e8eb831d9ed423b009f136c82ebe5f4aa
Link:
https://www.unpac.me/results/e94c37c7-2df1-4954-81e8-310abcc96295/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dfca1bf3a2bc630e60ee036b0fd5be55b2f2b44e7dc8d2005b86d763bfc7c8ac

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:crime_win32_ransom_avaddon_1
Create hunting rule
Author:@VK_Intel
Description:Detects Avaddon ransomware
Reference:https://twitter.com/VK_Intel/status/1300944441390370819
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/170427/

Comments